In autumn 2019, the so-called “Lex Apple Pay” was introduced as Section 58a German Payment Services Supervisory Act (“ZAG”) in a cloak and dagger operation (cf. Article Lex Apple Pay / Podcast Lex Apple Pay). The intention was to force Apple to open the interface in the iPhone for German banks. Perhaps Apple was still too expensive and unwieldy, so apparently, the German legislator feels compelled to step in again. This week the new law will be discussed in the Finance Committee of the German parliament.
What is planned for Lex Apple Pay 2?
As is often the case with sequels, the second part is worse than the first. Since in this case the first part was already a messed-up act, now it’s going to be really bad. The wording of the draft law looks as follows:
Section 58a Access to technical infrastructure services in the provision of payment services or the operation of the e-money business
(1) An undertaking which contributes to the provision of payment services or the operation of electronic money business in Germany by means of technical infrastructure services (system undertaking) shall, upon request by a payment service provider within the meaning of section 1(1), first sentence, numbers 1 to 3 or an electronic money issuer within the meaning of section 1(2), first sentence, numbers 1 or 2, be obliged to make these technical infrastructure services available for an appropriate fee against reimbursement of actual costs resulting from granting access without delay and using appropriate access conditions of a standardised technical interface to all end devices. appropriate fee The provision within the meaning of sentence 1 must be designed in such a way that the requesting enterprise can provide or operate its payment services or e-money transactions without hindrance and functional equality is guaranteed.
(2) Paragraph 1 shall not apply if, at the time of the request, the system operator is not an undertaking whose technical infrastructure services are used by more than 10 payment service providers within the meaning of Article 1(1), first sentence, numbers 1 to 3 or electronic money issuers within the meaning of Article 1(2), first sentence, numbers 1 or 2 or which has more than 2 million registered users.
(3) By way of exception, the system enterprise shall not be obliged in accordance with paragraph 1 if there are objectively justified reasons for refusing to make the service available. Such reasons shall exist in particular if the system enterprise can prove that the security and integrity of the technical infrastructure services is specifically endangered by the provision. The refusal must be justified in a comprehensible manner.
(4) If a system enterprise culpably violates paragraph 1, it shall be obliged to compensate the requesting enterprise for the resulting damage. The ordinary legal process is given.
(5) The duties and responsibilities of the cartel authorities under the Act against Restraints of Competition shall remain unaffected.
In short, this means that companies that provide technical infrastructure services that are used by more than 10 payment service providers or that have more than 2 million users must compulsorily offer a standardized technical interface to all end devices. In principle, the interface must be offered free of charge to all requesting payment service providers; only the costs of access (e.g. not development) may be charged.
This interface must also ensure functional equality. As an example, it is mentioned that access to other hardware components such as key assignment (volume button, home button) or the authentication units (facial recognition, fingerprint sensor) must also be offered.
The system enterprise may not refuse access, not even for security reasons. The previous paragraph 3 is deleted without replacement. The reason given is that “the use of a standardized interface increases the security and integrity of the technical infrastructure services of a system enterprise.”
In particular, the last statement from the draft legislative notes causes surprise among IT experts. Just because an interface is standardized does not make a system more secure. It will also be interesting to see whether it is really legally possible that German lawmakers prescribe that companies may no longer use proprietary interfaces even if they are not meeting any market share threshold under anti-trust law.
What’s all this good for?
Of course, one can be critical of the market power of the big digital companies and also of Apple’s policy of sealing off its interface. But instead of proceeding at the European level with the means of antitrust law and a uniform approach in the European market, it appears to be a special case of misguided protectionism to create a German regulation that is technically and legally systematically flawed and constitutionally vulnerable. No wonder that these amendments are not even discussed in public beforehand but were introduced into the meeting of the Finance Committee at the last minute.
Always look on the bright side
But here, too, it is important to see the bright side of things, because with mandatorily open interfaces and free access, new business models are also emerging.
Here are a few ideas for founders:
The interfaces of the girocard will now be open to any payment institution that requests them. There should then no longer be a certification required for this, because that would not be compatible with § 58a ZAG. This would allow, for example, simple age verification options via access to the NFC interface.
It would also be conceivable to generate a PIN authorization of the girocard via the interface and thus a direct debit mandate could be created on the smartphone that would be a real e-mandate with proof of authorization.
Business models that access the authorization interfaces of banks to enable strong customer authentication, e.g. in a user-friendly way as a third-party provider via the smartphone, could also be very interesting.
It would also be conceivable that every payment service provider could have access to the Toll Collect terminals. After all, these terminals are used to process payment services and certainly have more than 2 million users.
That wasn’t the idea?
If the law is changed in this way, then the thinking about the possibilities will only begin. In any case, everyone who may be deemed a system undertaking should start to work on their interfaces. The new law (if passed) will be effective on 1 January 2022.
Cover picture: Copyright © Adobe / orelphoto